Alan,
Sorry for the delay on getting back with a fuller response on this issue. I managed to fall off of my stack of issues. The KeyIdentifier in the CMS KEKIdentifier field is generated by the client and populated by the client. The field originally was not sent to the Plasma server as it was not thought necessary. When doing implementations, for some reason I can no longer remember I thought it was necessary so added it to the schema without also putting in the documentation. Since that point I have gone back to the point of wondering if the field is needed or not. It may be that it is just local to the client and never needs to be sent to the server. Part of the issue is a question on the ability to have two different KEK objects in a single MIME message that is done over multiple CMS objects each with a different KEKIdentifier (or the same one). If this is the case then it might be needed, but it would also require a couple of other changes that I have not completely worked out yet. Jim From: [email protected] [mailto:[email protected]] On Behalf Of Alan Borland Sent: Wednesday, July 18, 2012 1:32 AM To: [email protected] Subject: [plasma] Who creates the 'keyIdentifier'? I'm trying to understand who generates the 'KeyIdentifier' element in the 'KEKIdentifier' structure of the 'RecipientInfo' created by the client. Is it the client? The Plasma CMS Processing document, Page 8, describes how the 'KeyIdentifier' is a random generated value (Created by the client?). Is it the Plasma Server? On Page 13 the KekIdentifier is a value that matches the KEKIdentifier.KeyIdentifier value in the recipient info information (I have read this to mean that the EPS-LockBox version must match the KeyIdentifier in the envelopedData created by the client, meaning the KeyIdentifer must be transported between client and plasma server). >From this I thought the client created the random value and passed it across to the server inside the 'GetCMSToken' request. However, I can't see this described in the request. Is this missing from the request documentation, or does this Imply that the client has to extract the KeyIdentifer from the EPS-KEK returned in the GetCMSToken response, but this is encrypted and only the Plasma Server has access to this. Or have I mis-read this completely? Alan. Boldon James.
_______________________________________________ plasma mailing list [email protected] https://www.ietf.org/mailman/listinfo/plasma
